What is claimed is: 



1. A network authentication apparatus comprising:

a network interface unit connected with a network and
transmitting/receiving a packet;

a packet relay unit for relaying a received packet in
accordance with a destination address of the received packet;
and

a filtering processing unit for judging whether to relay
the received packet to the packet relay unit or discard the packet
in accordance with two or more of a destination MAC address,
destination IPv6 address, source MAC address, source IPv6 address
and source IPv6 interface ID contained in the received packet.

2. The network authentication apparatus as claimed in claim 1,

wherein the filtering processing unit judges whether to
relay the received packet to the packet relay unit or discard
the packet in accordance with at least the destination MAC
address, and, source IPv6 address or source IPv6 interface ID.

3. The network authentication apparatus as claimed in claim 1,

wherein the filtering processing unit further comprises:

a filtering information storage unit for storing at least
a destination MAC address, and, source MAC address or source IPv6
address or source IPv6 interface ID, and, judgment information
representing relay or discard in association with each other;
and

a processing unit for comparing the destination MAC address
and source MAC address or source IPv6 address or source IPv6
interface ID contained in the received packet with the destination
MAC address and source MAC address or source IPv6 address or source
IPv6 interface ID stored in the filtering information storage
unit, and when the addresses match with each other, judging whether
to relay the received packet to the packet relay unit or discard
the packet in accordance with the judgment information associated
with each address.

4. The network authentication apparatus as claimed in claim 1,

wherein the filtering processing unit comprises:

a MAC filtering unit for judging whether to relay the
received packet to the packet relay unit or discard the packet
in accordance with the destination MAC address or source MAC
address contained in the received packet; and

an IP filtering unit for judging whether to relay the
received packet to the packet relay unit or discard the packet
in accordance with the source IPv6 address or source IPv6 interface
ID contained in the received packet.

5. The network authentication apparatus as claimed in claim 4,

wherein the filtering processing unit further comprises:

a filtering information storage unit for storing at least
a destination MAC address, and, source MAC address or source IPv6
address or source IPv6 interface ID, and, judgment information
representing relay or discard in association with each other.

6. The network authentication apparatus as claimed in claim 4,

wherein the MAC filtering unit further comprises:

a MAC filtering information storage unit for storing a
destination MAC address and source MAC address and judgment
information representing relay or discard in association with
each other; and

the IP filtering unit further comprises:

an IP filtering information storage unit for storing a
destination MAC address, and, source IPv6 address or source IPv6
interface ID, and, judgment information representing relay or
discard in association with each other.



7. The network authentication apparatus as claimed in claim 6,

wherein the MAC filtering unit compares the destination
MAC address or source MAC address contained in the received packet
with the destination MAC address or source MAC address stored
in the MAC filtering information storage unit, and when the
addresses match with each other, judging whether to relay the
received packet to the packet relay unit or discard the packet
in accordance with the judgment information associated with the
destination MAC address or source MAC address; and

the IP filtering unit compares the source IPv6 address or
source IPv6 interface ID contained in the received packet with
the source IPv6 address or source IPv6 interface ID stored in
the IP filtering information storage unit, and when the addresses
or interface IDs match with each other, judging whether to relay
the received packet to the packet relay unit or discard the packet
in accordance with the judgment information associated with the
source IPv6 address or source IPv6 interface ID.

8. The network authentication apparatus as claimed in claim
1, further comprising:

an authentication unit for receiving an authentication
request from an arbitrary information terminal device connected
to the network interface unit via a network and executing
authentication on the basis of predetermined information related
to the arbitrary information terminal device.

9. The network authentication apparatus as claimed in claim

wherein the authentication unit has an authentication
information storage unit for storing user ID, password, and, IPv6
interface ID or MAC address in association with each other, and
performs authentication by comparing user ID, password, and, IPv6
interface ID or MAC address received from the arbitrary
information terminal device with the user ID, password, and, IPv6
interface ID or MAC address stored in the authentication
information storage unit.

10. The network authentication apparatus as claimed in claim
1, further comprising:

a security control unit for generating or exchanging a key
for packet encryption or decoding for each communication
counterpart, using a key exchange protocol; and

a security processing unit for executing authentication 
of at least the received packet, using the key generated by the 
security control unit. 

11. A network authentication system comprising:

an authentication server for receiving an authentication 
request from an arbitrary information terminal device connected 
via a network and executing authentication on the basis of 
predetermined information related to the arbitrary information 
terminal device; and 

a network node device connected to the network and relaying 
a packet received from the network; 

wherein the network node device having: 

a network interface unit connected with the network and 
transmitting/receiving a packet; 

a packet relay unit for relaying a received packet in 
accordance with a destination address of the received packet; 
and 

a filtering processing unit for judging whether to relay 
the received packet to the packet relay unit or discard the packet 
in accordance with two or more of a destination MAC address, 
destination IPv6 address, source MAC address, source IPv6 address 
and source IPv6 interface ID contained in the received packet; 

and wherein the filtering processing unit relays only a 
packet addressed to the authentication server to the packet relay 
unit, of packets sent from an arbitrary information terminal 
device that is not authenticated by the authentication server. 

12. The network authentication system as claimed in claim 11,

wherein the filtering processing unit of the network node
device further comprises:

a filtering information storage unit for storing at least
a destination MAC address, and, source MAC address or source IPv6
address or source IPv6 interface ID, and, judgment information
representing relay or discard in association with each other;
and

a processing unit for comparing the destination MAC
address, and, source MAC address or source IPv6 address or source
IPv6 interface ID contained in the received packet with the
destination MAC address, and, source MAC address or source IPv6
address or source IPv6 interface ID stored in the filtering
information storage unit, and when the addresses match with each
other, judging whether to relay the received packet to the packet
relay unit or discard the packet in accordance with the judgment
information associated with each address.

13. The network authentication system as claimed in claim 12,

wherein the authentication server includes an instruction
issuing unit for instructing addition of information of the
arbitrary information terminal device when the arbitrary 
information terminal device is authenticated; 

the network node device includes a change unit for newly 
registering the MAC address or IPv6 address or IPv6 interface 
ID of the arbitrary information terminal device as the source 
MAC address or the source IPv6 address or the source IPv6 interface 
ID into the filtering information storage unit together with the 
judgment information representing relay in accordance with an 
instruction from the authentication server; and 

the filtering processing unit relays a packet sent from 
the arbitrary information terminal device authenticated by the
authentication server, to the packet relay unit. 
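
The filtering behaviour recited in claims 11 to 13, as an added example that is not part of the patent text: a small first-match table in which an unauthenticated terminal can reach only the authentication server, and a relay entry bound to both source MAC address and IPv6 interface ID is registered after authentication. The class and function names, the wildcard value and all addresses are assumptions made for illustration.

```python
import ipaddress

RELAY, DISCARD = "relay", "discard"
ANY = None  # wildcard field; an assumption, the claims do not define one

def interface_id(ipv6):
    """Low 64 bits of an IPv6 address, i.e. the interface ID."""
    return int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFFFFFFFFFF

class FilterTable:
    """Filtering information storage unit plus processing unit (hypothetical)."""

    def __init__(self, auth_server_mac):
        # Before authentication only traffic addressed to the
        # authentication server is relayed; everything else is discarded.
        self.rules = [(auth_server_mac.lower(), ANY, ANY, RELAY)]

    def register(self, src_mac=ANY, src_iid=ANY):
        """Change unit: add a relay entry on instruction from the server."""
        if src_mac is ANY and src_iid is ANY:
            raise ValueError("refusing to register a match-all relay entry")
        mac = src_mac.lower() if src_mac else ANY
        self.rules.append((ANY, mac, src_iid, RELAY))

    def judge(self, dst_mac, src_mac, src_ipv6):
        """Return the judgment of the first matching entry, else discard."""
        packet = (dst_mac.lower(), src_mac.lower(), interface_id(src_ipv6))
        for *match, judgment in self.rules:
            if all(m is ANY or m == p for m, p in zip(match, packet)):
                return judgment
        return DISCARD

def demo():
    # Constructed sample addresses (documentation prefix 2001:db8::/32).
    server, gateway = "02:00:00:00:00:01", "02:00:00:00:00:fe"
    host_mac, host_ip = "02:00:00:00:00:10", "2001:db8::0200:00ff:fe00:0010"
    table = FilterTable(server)
    before = (table.judge(server, host_mac, host_ip),
              table.judge(gateway, host_mac, host_ip))
    table.register(src_mac=host_mac, src_iid=interface_id(host_ip))
    after = table.judge(gateway, host_mac, host_ip)
    # Same interface ID but a different source MAC does not match the entry.
    spoofed = table.judge(gateway, "02:00:00:00:00:66", host_ip)
    return before, after, spoofed

if __name__ == "__main__":
    print(demo())
```
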

14. The network authentication system as claimed in claim

wherein the filtering processing unit of the network node
device further comprises: 

a MAC filtering unit for judging whether to relay the 
received packet to the packet relay unit or discard the packet 
in accordance with the destination MAC address or source MAC 
address contained in the received packet; and 

an IP filtering unit for judging whether to relay the 
received packet to the packet relay unit or discard the packet 
in accordance with the source IPv6 address or source IPv6 interface 
ID contained in the received packet. 

15. The network authentication system as claimed in claim 14,

wherein the filtering processing unit of the network node 
device further comprises: 

a filtering information storage unit for storing at least 
a destination MAC address, source MAC address, source IPv6 address 
or source IPv6 interface ID in association with judgment 
information representing relay or discard; 

the MAC filtering unit compares the destination MAC address 
or source MAC address contained in the received packet with the 
destination MAC address or source MAC address stored in the 
filtering information storage unit, and when the addresses match 
with each other, judging whether to relay the received packet 
to the packet relay unit or discard the packet in accordance with 
the judgment information associated with the destination MAC
address or source MAC address, and 

the IP filtering unit compares the source IPv6 address or 
source IPv6 interface ID contained in the received packet with 
the source IPv6 address or source IPv6 interface ID stored in
the filtering information storage unit, and when the addresses 
or interface IDs match with each other, judging whether to relay 
the received packet to the packet relay unit or discard the packet 
in accordance with the judgment information associated with the 
source IPv6 address or source IPv6 interface ID. 

16. A switch apparatus comprising: 

plural network interface units connected with a network 
and transmitting/receiving packets; 

a packet switch unit for relaying a received packet between 
the plural network interface units in accordance with a 
destination address of the received packet; and 

a filtering processing unit for judging whether to relay
a received packet to the packet switch unit or discard the packet
in accordance with two or more of a destination MAC address,
destination IPv6 address, source MAC address, source IPv6 address
and source IPv6 interface ID contained in the received packet.